Alina, the Latest POS Malware


Holding the data of thousands of credit cards makes Point of Sale (POS) terminals critical systems, and an increasingly sought-after target for cybercrime. Attacking these devices anonymously over the internet is relatively straightforward, and selling the stolen data on the black market is profitable.

We’ve recently detected infections at a significant number of bars and restaurants in the United States whose POS terminals were attacked by two variants of credit card theft malware.

The malware samples that we’ll be analyzing are the following:

File name      MD5
Epson.exe      69E361AC1C3F7BCCE844DE43310E5259
Wnhelp.exe     D4A646841663AAC2C35AAB69BEB9CFB3

Epson.exe presents an invalid certificate:

Both samples were compiled with Microsoft Visual C++ 8, and are neither packed nor encrypted. Once the malware is executed on the system, it enumerates the running processes in search of credit card data.

Here we can see how they go through the different processes looking only for those that can contain credit cards in memory:

In the case of the “Epson.exe” sample, it will search for credit cards in the following processes:

Program name                                                         Description
notepad++.exe                                                        Text editor
CreditCardService.exe                                                Microsoft
DSICardnetIP_Term.exe                                                NETePay for Mercury
DSIMercuryIP_Dial.exe                                                NETePay for Mercury
EdcSvr.exe                                                           Aloha Electronic Draft Capture (EDC)
fpos.exe                                                             Future POS
mxSlipStream4 / mxSlipStream5 / mxSlipStream.exe / mxSwipeSVC.exe    SlipStream POS System Transaction Processor by mXpress
NisSrv.exe                                                           Windows 8
spcwin.exe / Spcwin.exe / SPCWIN.exe / SPCWIN.EXE                    POSitouch (Food Service Industry POS System)

On the other hand, the “Wnhelp.exe” sample contains a list that is used to exclude processes from analysis. If the process name matches any item on the list, it will not be scanned for credit card data:

Discarded processes:
explorer.exe
alg.exe
chrome.exe
wscntfy.exe
firefox.exe
taskmgr.exe
iexplore.exe
spoolsv.exe
svchost.exe
QML.exe
smss.exe
AKW.exe
csrss.exe
OneDrive.exe
wininit.exe
VsHub.exe
steam.exe
Microsoft.VsHub.Server.HttpHost.exe
devenv.exe
vcpkgsrv.exe
thunderbird.exe
dwm.exe
skype.exe
dllhost.exe
pidgin.exe
jusched.exe
services.exe
jucheck.exe
winlogon.exe
lsass.exe

In both samples, once a process to analyze has been selected, either because it appears on the target list (as with Epson.exe) or because it does not appear on the exclusion list (as with Wnhelp.exe), the malware creates a new thread:

This thread then scans the process memory using an algorithm specifically designed to check whether the data found is credit card data:

The attackers run the Wnhelp.exe sample with the argument “install”, which makes it create a service to ensure its persistence on the system:

The service is called “Windows Error Reporting Service Log”.

The sample Epson.exe works in the same way, although attackers can configure the name of the service as they want through parameters:

install [Service name] [Service description] [Third parameter]

Each variant connects to a different command and control (C&C) server:

Epson.exe      dropalien.com/wp-admin/gate1.php
Wnhelp.exe     www.rdvaer.com/wp-admin/gate1.php

They can then receive different orders from the attacker:

Command                 Description
update = [URL]          Malware update.
dlex = [URL]            Downloads and runs a file.
chk = [CRC_Checksum]    Updates the file’s checksum.

To connect to the control panel, they use the following User-Agent:

“Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22”

The communication is carried out over SSL. The malware modifies the internet connection configuration to ignore unknown CAs (Certificate Authorities), thereby ensuring that it will be able to use its own certificate.

First it obtains the internet connection security flags through the InternetQueryOptionA API with the third argument set to the value INTERNET_OPTION_SECURITY_FLAGS (31). Once obtained, it performs a bitwise OR with the flag SECURITY_FLAG_IGNORE_UNKNOWN_CA (100h).
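The indicators above (the two gate1.php C&C URLs, the hard-coded User-Agent, the “Windows Error Reporting Service Log” service name, and the SECURITY_FLAG_IGNORE_UNKNOWN_CA bit) can be turned into simple detection checks. The following is an added example written for this article, not code from the post or from the malware; the proxy, service-install and API-trace line formats are constructed here, and the InternetSetOptionA write-back of the modified flags is an assumption (the post only names InternetQueryOptionA).

```python
import re

# Indicators quoted in the post; the three log formats below are constructed for this example.
C2_URLS = {"dropalien.com/wp-admin/gate1.php", "www.rdvaer.com/wp-admin/gate1.php"}
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.22 "
                 "(KHTML, like Gecko) Chrome/25.0.1364.152 Safari/537.22")
PERSISTENCE_SERVICE = "Windows Error Reporting Service Log"
INTERNET_OPTION_SECURITY_FLAGS = 31     # third argument of InternetQueryOptionA
SECURITY_FLAG_IGNORE_UNKNOWN_CA = 0x100  # bit the malware ORs into the flags

def check_proxy(line):
    """Constructed proxy format: '<ts> <client> <method> <url> "<user-agent>"'."""
    m = re.match(r'\S+ \S+ \S+ https?://(\S+) "([^"]*)"$', line)
    if not m:
        return []
    url, ua = m.groups()
    hits = []
    if url in C2_URLS:
        hits.append("c2-url")          # gate1.php on one of the two C&C hosts
    if ua == C2_USER_AGENT:
        hits.append("c2-user-agent")   # the hard-coded Chrome/25 User-Agent
    return hits

def check_service_install(line):
    """Constructed service-install event: '7045 name="<service name>" ...'."""
    m = re.match(r'7045 name="([^"]*)"', line)
    return ["persistence-service-name"] if m and m.group(1) == PERSISTENCE_SERVICE else []

def check_api_trace(line):
    """Constructed API-monitor line (assumed write-back call): 'InternetSetOptionA option=<n> value=<hex>'."""
    m = re.match(r'InternetSetOptionA option=(\d+) value=(0x[0-9a-fA-F]+)', line)
    if not m:
        return []
    option, value = int(m.group(1)), int(m.group(2), 16)
    if option == INTERNET_OPTION_SECURITY_FLAGS and value & SECURITY_FLAG_IGNORE_UNKNOWN_CA:
        return ["ignore-unknown-ca"]   # CA validation switched off for the C&C channel
    return []

def scan(lines):
    """Run all three checks over each line; returns [(line, hits)] for the matches."""
    return [(l, h) for l in lines
            if (h := check_proxy(l) + check_service_install(l) + check_api_trace(l))]

SAMPLE_LOGS = [  # constructed sample input
    '2017-01-01T10:00:00 10.0.0.12 POST https://dropalien.com/wp-admin/gate1.php "%s"' % C2_USER_AGENT,
    '2017-01-01T10:00:05 10.0.0.12 GET https://example.org/ "Mozilla/5.0"',
    '7045 name="Windows Error Reporting Service Log" image="C:\\Windows\\Wnhelp.exe"',
    'InternetSetOptionA option=31 value=0x00000100',
]
```

Running `scan(SAMPLE_LOGS)` flags three of the four constructed lines; note that Epson.exe lets the attacker choose the service name, so the service-name check only covers the Wnhelp.exe variant.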

Conclusion: How to Confront a POS Attack

Attacks on POS terminals are still very popular, especially in countries like the United States where the use of Chip & PIN is not mandatory. Many of these attacks target businesses that do not have specialized personnel in computer science, much less in security, an oversight that attackers can take advantage of.

POS terminals are computers that handle critical data and therefore must be hardened as far as possible in order to shield customer data from the inherent risks. Solutions such as Adaptive Defense 360 help to ensure that no malicious process is executed on these terminals. There is no need to hire a security specialist, because the solution includes Panda Security’s own technicians, who will be responsible for ensuring that all executed processes are safe.

https://www.pandasecurity.com/mediacenter/pandalabs/alina-pos-malware/